orcus | 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4

General

Target

23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
Size

920KB
MD5

753505f665835e0f8542f83252d8251c
SHA1

880a37b15bec07ce4ff748fb2e8d138754c8b636
SHA256

23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
SHA512

91d69bcd0b6dd9e096a31db9c3778432088c69e6d329c12bba7e1803bf0dd7325338d42c76d0b6cb6a8e954a0e931754a3c7cc2f07b7c8b21700ac9b6ad9137c
SSDEEP

24576:iD54MROxnFt34cirrcI0AilFEvxHPf8oom:iSMijgrrcI0AilFEvxHP

Score

10^/10

orcus 777 rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

777

C2

10.86.6.129:3333

Mutex

bc671c436af448dd952335335bfcb715

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Windows Start
watchdog_path
AppData\WindowsUpdate.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 5 IoCs

resource	yara_rule
behavioral1/files/0x00070000000143f9-34.dat	family_orcus
behavioral1/files/0x00070000000143f9-32.dat	family_orcus
behavioral1/files/0x00070000000143f9-31.dat	family_orcus
behavioral1/files/0x00070000000143f9-29.dat	family_orcus
behavioral1/files/0x00070000000143f9-43.dat	family_orcus

Orcurs Rat Executable 7 IoCs

resource	yara_rule
behavioral1/memory/2652-0-0x0000000000AC0000-0x0000000000BAC000-memory.dmp	orcus
behavioral1/memory/3028-35-0x00000000002E0000-0x00000000003CC000-memory.dmp	orcus
behavioral1/files/0x00070000000143f9-34.dat	orcus
behavioral1/files/0x00070000000143f9-32.dat	orcus
behavioral1/files/0x00070000000143f9-31.dat	orcus
behavioral1/files/0x00070000000143f9-29.dat	orcus
behavioral1/files/0x00070000000143f9-43.dat	orcus

Executes dropped EXE 4 IoCs

pid	Process
3024	WindowsInput.exe
2616	WindowsInput.exe
3028	Orcus.exe
2544	Orcus.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	Orcus.exe
Token: SeDebugPrivilege	2544	Orcus.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3028	Orcus.exe
2544	Orcus.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3028	Orcus.exe
2544	Orcus.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3028	Orcus.exe
2544	Orcus.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3024	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	28
PID 2652 wrote to memory of 3024	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	28
PID 2652 wrote to memory of 3024	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	28
PID 2652 wrote to memory of 3024	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	28
PID 2652 wrote to memory of 3028	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	30
PID 2652 wrote to memory of 3028	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	30
PID 2652 wrote to memory of 3028	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	30
PID 2652 wrote to memory of 3028	2652	23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe	30
PID 2460 wrote to memory of 2544	2460	taskeng.exe	32
PID 2460 wrote to memory of 2544	2460	taskeng.exe	32
PID 2460 wrote to memory of 2544	2460	taskeng.exe	32
PID 2460 wrote to memory of 2544	2460	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
"C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3024
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3028

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {B6B3AE42-E25B-41CC-8312-09DAE1C526FD} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
219KB

MD5
119abef9b2f3b8b4f0605027c3a89f28

SHA1
3bfc63741106d3d4d91237f822e02c1ecf08e562

SHA256
0023b189f400fd05af0406eb00f2a0447079df7230dea5e77c7ec96d95480e88

SHA512
89768daf39248661cf4b8d8a4f040b059d2b7e06e1bcda71480e8366dbd150aa08224c520dda587cce37f15068931d39854e4f87b0b46367006f733e050d9603

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
275KB

MD5
ec5623d7bcf17a8ad177a0abaa0d8b53

SHA1
03ec25e7b81c115761ed48e6c4eb97581c546f82

SHA256
8baffaa8ba8adcc7e3281f0629ef6cecb5817b56847f5aef35b974a8b223bf8d

SHA512
fc5ae721e73013077c4f49ef0c55b73c30ef97967f1ccebd319e3f4970ac8a37be6e5ff564626a11776d626477a298b4cf417f505a12cb3bcd7dbdc2726a6365

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
398KB

MD5
8747fb0c494bc805a0f8be194e82a99f

SHA1
eb3cdca1ff70a573e5368db6e2fd32f7ef670443

SHA256
2ae01c5c9bf71a9cba2bfe89c585cf0e9d471080559de33975c34f8058d1e17f

SHA512
4dab2d6f8389a9f1c020aad6baea6cab9bfb5318e59ce1ce6f736cd17109f5e5c55a4572b8a5af3ea2ed32ca8a5980acb9f30211283be38e9edbd7f066704360

Download Submit
C:\Program Files (x86)\Orcus\Orcus.exe

Filesize
63KB

MD5
964dac46350af226913b3126e1183ab9

SHA1
4a6cb107069af8af44e8a644a8585f8dcd825434

SHA256
9814cf1bed7363e9404e251b128b4e70f8cd00e186e4d79bf81003046b6d0162

SHA512
1dac604696b4912e97b6fb437f139919af7de614c0d9ca0fc8dbfce7cd78231fc87ab620f13ad06d6079e1b39c6abc7d8683a0b0931bcd6cb32dc3c708d571a5

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Program Files (x86)\Orcus\Orcus.exe

Filesize
401KB

MD5
90f3b8789b1a9e95fe6be3601f0ad1fb

SHA1
14bb0a612e9236a2abd91656d65c733ba87ae72d

SHA256
813602946a53cb3cfd91984b9af73228f0889a2f16a7d8157191408c6dc30337

SHA512
334c4587d312402f4ab9bbd5f40393a3cec46e2e5af6c880cada2de2f26ae893c38722132b5485d599b0634c0f3ef93888f02a972657a03ccc6c885c2cd857e4

Download Submit
memory/2544-47-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2544-44-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2544-48-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2544-49-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-22-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/2616-24-0x0000000000E70000-0x0000000000EF0000-memory.dmp

Filesize
512KB

Download
memory/2616-51-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2616-23-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-0-0x0000000000AC0000-0x0000000000BAC000-memory.dmp

Filesize
944KB

Download
memory/2652-36-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2652-5-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2652-6-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2652-4-0x0000000004270000-0x00000000042CC000-memory.dmp

Filesize
368KB

Download
memory/2652-3-0x0000000000210000-0x000000000021E000-memory.dmp

Filesize
56KB

Download
memory/2652-2-0x0000000004310000-0x0000000004350000-memory.dmp

Filesize
256KB

Download
memory/2652-1-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-20-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-17-0x0000000000270000-0x00000000002F0000-memory.dmp

Filesize
512KB

Download
memory/3024-16-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/3024-15-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/3028-38-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/3028-42-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/3028-45-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/3028-41-0x0000000004C80000-0x0000000004C98000-memory.dmp

Filesize
96KB

Download
memory/3028-35-0x00000000002E0000-0x00000000003CC000-memory.dmp

Filesize
944KB

Download
memory/3028-39-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/3028-40-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/3028-50-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-37-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing